Hacking Team – Phineas Fisher Hack

On July 5, 2015, the Twitter account of “Hacking Team”, an Italian-based company that sells its spyware and malware technology to law enforcement around the world, suddenly tweeted, “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code.” Along with the odd tweet was a link to Pastebin with a dump of approximately 400 GB of Hacking Team’s internal data, emails and the source code of their surveillance tool, Remote Control System.

As it turns out, the hack and the tweet came from a hacktivist named “Phineas Fisher.” His name was a play on the name of the malware “FinFisher,” which a company called Gamma International had developed. Like Hacking Team, Gamma International sold spyware technologies to law enforcement and governments, and Fisher had hacked them as well a year prior.

Fisher broke in using a zero-day vulnerability and, via an embedded device, gained a foothold with a remote root exploit. Eventually he was able to find backups from their Exchange server and soon found an admin account password. From there he was able to pull the company’s passwords in their entirety. At that point he found passwords in a sysadmin’s emails with access to the group’s GitLab source code library. With that password he was able to grab the entire source code of their flagship product, the Remote Control System.

Fisher claims the entire exploit took “100 hours,” saying: “That’s all it takes to take down a company and stop their human rights abuses. That’s the beauty of asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win.”

A few weeks after the hack, Fisher agreed to an on-camera interview with Vice Canada, with the odd (and hilarious) condition that they use either a Kermit the Frog puppet or some other “homemade non-trademark violating puppet” to relay on camera the words that Fisher typed via chat.

This is the interview:

In January of 2017, Spanish police authorities arrested three hacking suspects, one of whom they claimed was Phineas Fisher. However, someone using Fisher’s email address said in an email to “Motherboard” that they had arrested the wrong activist and that, “I think the Mossos just arrested some people that retweeted the link to their personal info, or maybe just arrested some activisty/anarchisty people to pretend they are doing something.”

Interesting Facts:

Fisher posted a how-to guide called “Hack Back! A DIY Guide” describing exactly how he breached Hacking Team’s security. It also describes much of his philosophy and motivations for the hack. It can be found here